Re: [RFC V2 PATCH 1/2] selinux-testsuite: Use native filesystem for tests - Part 1

On Mon, Feb 24, 2020 at 9:16 AM Richard Haines
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
>
> Use the filesystem type that the selinux-testsuite is running from to be
> used for tests/filesystem. Tested types: ext4, xfs, vfat and nfs.
>
> If testing locally -f <fs_type> can be used to test a specific type.
>
> For NFS the following example shows how this should be run:
>     ./tools/nfs.sh filesystem -v -e -f ext4

That example doesn't make much sense to me. If I'm running
./tools/nfs.sh I want to exercise (labeled) nfs, not ext4.

>
> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
> ---

> diff --git a/policy/test_filesystem.te b/policy/test_filesystem.te
> index 09f9d4a..c7d6fc1 100644
> --- a/policy/test_filesystem.te
> +++ b/policy/test_filesystem.te
> @@ -6,6 +6,28 @@
<snip>
> +# Lots of searches required, however this covers up the unlabeled_t NFS bug
> +#files_search_all(filesystemdomain)
> +
> +#
> +########## NFS BUG 'unlabeled_t rules' NFS BUG ########################
> +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1625955
> +# These rules can be commented out to cause the NFS bug when using:
> +#     mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
> +# And:
> +#     mount -t nfs -o vers=4.2,fscontext=system_u:object_r:test_filesystem_file_t:s0
> +#           localhost:$TESTDIR /mnt/selinux-testsuite
> +#
> +allow test_filesystem_no_getattr_t unlabeled_t:dir { search };
> +allow test_filesystem_no_mount_t unlabeled_t:dir { search };
> +allow test_filesystem_no_remount_t unlabeled_t:dir { search };
> +allow test_filesystem_no_unmount_t unlabeled_t:dir { search };
> +allow test_move_mount_no_mounton_t unlabeled_t:dir { search };
> +######################## End NFS bug ####################
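
Review bot: The five `allow ... unlabeled_t:dir { search };` rules at the end of this hunk have nothing in the visible lines limiting them to NFS runs, so the no_getattr, no_mount, no_remount, no_unmount and no_mounton test domains would gain search on unlabeled directories whatever filesystem type is under test. Since the header comment says the rules exist to avoid the behaviour in the referenced bugzilla entry, either drop them and let the affected tests fail, or make them conditional on the NFS case and say so in the comment. The commented-out `#files_search_all(filesystemdomain)` line should be removed rather than committed as dead policy.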

Don't cover up bugs in the testsuite policy or code.  If it is a bug,
let it fail.

> diff --git a/policy/test_filesystem_notify.te b/policy/test_filesystem_notify.te
> index 3e8a246..c9ef73a 100644
> --- a/policy/test_filesystem_notify.te
> +++ b/policy/test_filesystem_notify.te
> @@ -2,15 +2,55 @@
> +#
> +########## NFS BUG 'unlabeled_t rules' NFS BUG ########################
> +# Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1625955
> +# These rules can be commented out to cause the NFS bug when using:
> +#     mount -t nfs -o vers=4.2 localhost:$TESTDIR /mnt/selinux-testsuite
> +# And:
> +#     mount -t nfs -o vers=4.2,fscontext=system_u:object_r:test_filesystem_file_t:s0
> +#           localhost:$TESTDIR /mnt/selinux-testsuite
> +#
> +allow test_filesystem_no_watch_mount_t unlabeled_t:dir { search };
> +allow test_filesystem_no_watch_sb_t unlabeled_t:dir { search };
> +allow test_filesystem_no_watch_t unlabeled_t:dir { search };
> +######################## End NFS bug ####################
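
Review bot: The comment block and the `unlabeled_t:dir { search }` workaround in this hunk are a copy of the block added to policy/test_filesystem.te, repeated for test_filesystem_no_watch_mount_t, test_filesystem_no_watch_sb_t and test_filesystem_no_watch_t. If the workaround is kept at all, express it once, for example through a shared attribute or macro, so that removing it when the referenced bug is fixed is a single edit and the two files cannot drift apart.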

ditto

> diff --git a/tests/filesystem/Filesystem.pm b/tests/filesystem/Filesystem.pm
> index a08570a..8a18ddb 100644
> --- a/tests/filesystem/Filesystem.pm
> +++ b/tests/filesystem/Filesystem.pm
> @@ -1,10 +1,10 @@
> @@ -25,15 +25,26 @@ sub check_config {
>      $mod_pol_vers      = `checkmodule -V | cut -f 2 -d '-'`;
>      $max_kernel_policy = `cat /sys/fs/selinux/policyvers`;
>
> -    if ( $mod_pol_vers >= 11 and $pol_vers >= 25 and $max_kernel_policy >= 25 )
> -    {
> -        $name_trans = 1;
> -        $tst_count += 2;
> +    if ( not $nfs_enabled and not $vfat_enabled ) {
> +        if (    $mod_pol_vers >= 11
> +            and $pol_vers >= 25
> +            and $max_kernel_policy >= 25 )
> +        {
> +            $name_trans = 1;
> +            $tst_count += 2;
> +        }
> +    }
> +
> +    $type_trans = 0;
> +    if ( not $nfs_enabled and not $vfat_enabled ) {
> +        $type_trans = 1;
> +        $tst_count += 1;
>      }
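
Review bot: In check_config the condition `not $nfs_enabled and not $vfat_enabled` is tested twice back to back, once around the `$name_trans` block and once around the `$type_trans` block, and neither carries a comment saying why these filesystem types are excluded. Fold both into one `if` and add a comment giving the reason for NFS and for vfat separately. Also, `$type_trans` is reset to 0 before its check while `$name_trans` gets no matching reset in the lines shown; if it is not initialised elsewhere, give it the same treatment.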

Why is this disabled on (labeled) NFS?  type_transitions including
name-based ones should work there AFAICT.  vfat makes sense.

> @@ -121,7 +134,7 @@ sub make_fs {
>      attach_dev( $mk_dev, $mk_dir );
>
>      print "Make $mk_type filesystem on $mk_dev\n";
> -    $result = system("mkfs.$mk_type -I 256 $mk_dev >& /dev/null");
> +    $result = system("mkfs.$mk_type $mk_dev >& /dev/null");
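
Review bot: The changed `system("mkfs.$mk_type $mk_dev >& /dev/null")` line in make_fs drops `-I 256` for every filesystem type, and neither the hunk nor the commit message says why. If the reason is that the option is not valid for the other mkfs.$mk_type tools now being run, keep it for the types that accept it by selecting the options from `$mk_type`, and record the reason in a comment. Separately, the command still discards all mkfs output, so a failure on a newly supported type leaves only `$result` to go on; consider reporting the output when `$result` is non-zero.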

What's the effect of dropping -I 256 on ext4 testing?  e.g. do we stop
testing inline xattrs?

> diff --git a/tests/filesystem/test b/tests/filesystem/test
> index 78faf72..7074f36 100755
> --- a/tests/filesystem/test
> +++ b/tests/filesystem/test
> +
> +    if ($nfs_enabled) {
> +        $test_count -= 3;    # For hooks.c may_create() FILESYSTEM__ASSOCIATE
> +        $test_count -=
> +          3;    # For hooks.c selinux_inode_setxattr() FILESYSTEM__ASSOCIATE
> +        $test_count -= 2;     # For additional Test Invalid Mount tests
> +        $test_count -= 20;    # For tests involving multiple *context= options
> +        if ( $seclabel_type eq 0 ) {
> +            $test_count -= 4;    # If no context option set
> +        }
> +        elsif ( $seclabel_type eq 1 ) {
> +            $test_count -= 2;    # If rootcontext option set
> +        }
> +        elsif ( $seclabel_type eq 2 ) {
> +            $test_count -= 2;    # If fscontext option set
> +        }
> +    }
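
Review bot: The `$test_count` adjustments in the `if ($nfs_enabled)` block are bare literals (3, 3, 2, 20, then 4 or 2 depending on `$seclabel_type`) kept apart from the tests they account for, so the plan and the tests can drift apart whenever a test is added or removed. Adjust the count next to each skipped group of tests, or name the constants, and state for each group whether it is skipped because NFS cannot support it or because of current policy. `$seclabel_type eq 0` also compares what look like numbers with the string operator; use `==` if the value is numeric, and document what 0, 1 and 2 mean.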

A tad unclear on the rationale for removing all of these.  Are they
truly not supported by nfs (if so, is that a bug or expected behavior
e.g. an inherent difference between network and local filesystems that
cannot be addressed without changes to the NFS protocol itself), or
are they just not supported by existing policy?
